[luau] News - June 2002 Netcraft Web Server Survey
Warren Togami
warren at togami.com
Mon Jul 1 02:55:01 PDT 2002
Wow. Sharp increase of over 2 million new sites running Apache in June,
while Microsoft IIS dropped by about 700k.
This report also has another reminder to patch your Apache. If you haven't
updated your Apache within the past week, you may be vulnerable to a remote
exploit.
On a related note, BSD users, be sure to patch your OpenSSH too. Most BSD
versions are vulnerable to another exploit, even OpenBSD. This is the first
remote exploit of OpenBSD default install in 6 years. Most Linux
distributions did not have the vulnerable part of the OpenSSH exploit
compiled or enabled by default, but it wouldn't hurt to upgrade your OpenSSH
too.
----- Original Message -----
From: "Mike Prettejohn" <mhp at netcraft.co.uk>
To: <warren at togami.com>
Sent: Monday, July 01, 2002 1:16 AM
Subject: June 2002 Netcraft Web Server Survey
The June 2002 Netcraft Web Server Survey is out;
http://www.netcraft.com/survey/
Top Developers
Developer May 2002 Percent June 2002 Percent Change
Apache 21120388 56.21 23154909 59.67 3.46
Microsoft 11902821 31.68 11239613 28.96 -2.72
Zeus 849089 2.26 799173 2.06 -0.20
iPlanet 824245 2.19 687004 1.77 -0.42
Active Sites
Developer May 2002 Percent June 2002 Percent Change
Apache 10411000 65.11 10964734 64.42 -0.69
Microsoft 4121697 25.78 4243719 24.93 -0.85
iPlanet 247051 1.55 281681 1.66 0.11
Zeus 214498 1.34 227857 1.34 0.00
Around the Net
Web more vulnerable to attack now than at any time previously.
The publication of serious vulnerabilities in Microsoft-IIS and Apache
over the last three weeks has created a situation where a majority of
internet sites are likely to be accessible to remote exploit. On 11th
June, Microsoft released a trio of advisories, the most serious of
which referred to a [2]HTR buffer overflow that could be used to
remotely compromise machines running Microsoft-IIS.
Although Netcraft can not explicitly test for the vulnerability
without prior permission from the sites, around half of the
Microsoft-IIS sites on the internet have .[3]htr mapping enabled,
which indicates that the site is likely to be vulnerable to the
attack, and indeed that some number will already be under the control
of an external attacker.
On the 17th June it was [4]reported that many versions of the Apache
web server were vulnerable to a buffer overflow through flawed
functionality affecting its "Chunked Encoding" mechanism. If
exploited, this could lead to a remote system compromise and exploits
are already known to have been been developed for Windows, FreeBSD and
OpenBSD. There is an active debate on whether exploits are possible
for Linux and Solaris.
Apache administrators have reacted quite quickly to the problem, and
within a week of first publication, well over 6 million sites have
been upgraded to Apache/1.3.26, issued by the Apache project in
response to the problem. However, this still leaves around 14 Million
potentially vulnerable Apache sites.
With over half of the internet's web servers potentially vulnerable,
conditions are ripe for an epidemic of attacks against both
Microsoft-IIS and Apache based sites, and the first [5]worm,
targeting sites running Apache on FreeBSD, has been spotted this
weekend.
Although potentially very disruptive, worms have a positive aspect, in
that they draw the administrators attention to vulnerable servers, and
once patched the server is usually no longer available as a platform
for more insidious activity. Last year, immediately prior to the Code
Red worm, Netcraft was finding that around 1 in six ecommerce sites
running Microsoft-IIS taking a security test from Netcraft for the
first time had already been successfully compromised, and had a
backdoor giving an external attacker control over the machine. The
clear up from Code Red had the positive effect of flushing the
majority of these backdoors out of the internet.
Additionally, Microsoft has yesterday announced [6]details of some
severe vulnerabilities in its Commerce Server software which give
remote attackers the ability to execute arbitrary code on the server.
There are around 36,000 sites using Commerce Server [or Site Server,
its predecessor] including a significant number of ecommerce sites and
banks.
It is noteworthy that the vulnerabilities are equally applicable to
SSL sites, and that in particular, most intrusion detection (IDS)
facilities will not flag attacks implemented over SSL because the
traffic is encrypted. This can provide a false sense of confidence to
administrators, and, symmetrically, a suitable means of a stealthy
attack.
Everyone is encouraged to test their networks for vulnerabilities;
details on Netcraft's own security testing services are available
[1]here.
References
1. http://www.netcraft.com/security/
2.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/ms02-028.asp
3. http://www.netcraft.com/security/public-advisories/htr.html
4. http://httpd.apache.org/info/security_bulletin_20020620.txt
5. http://dammit.lt/apache-worm
6.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS02-033.asp
Internet Research from Netcraft.
Netcraft does commercial internet research projects. These include
custom cuts on the Web Server Survey data, hosting industry analysis,
corporate use of internet technology and bespoke projects. All of the data
is gathered through network exploration, not teleresearch.
sales at netcraft.com
Network Security Testing from Netcraft.
Netcraft provides automated network security testing of customer networks
and consultancy audits of ecommerce sites, Clients include IBM,
Hewlett Packard, Deloitte & Touche, Energis, Britannic Asset Management,
Guardian Royal Exchange, Lloyds of London, Laura Ashley, etc.
Details at http://www.netcraft.com/security/
To unsubscribe from the Netcraft Web Server Survey Announcements list
send the message
unsubscribe webserver-survey
to majordomo at netcraft.com
To resubscribe send the message
subscribe webserver-survey
Mike
--
Mike Prettejohn
mhp@@netcraft.com Phone +44 1225 447500 Fax +44 1225 448600
Netcraft Rockfield House Granville Road Bath BA1 9BQ England
More information about the LUAU
mailing list